
Thread: Smitfraud, Virtumonde and Others

  1. #1
    Junior Member
    Join Date
    Jul 2006
    Location
    Bottom of a Gin Bottle
    Posts
    28

    Default Smitfraud, Virtumonde and Others

    Spybot cannot get rid of Smitfraud or Virtumonde and Kaspersky is finding Virii that Avast! misses.

    Logs are below and attached. Thanks!

    TPM

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:15:20 PM, on 2/5/2008
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\Ati2evxx.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    E:\Avast Program\aswUpdSv.exe
    E:\Avast Program\ashServ.exe
    C:\WINNT\System32\svchost.exe
    E:\UPS\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    E:\Program Files\Timestone Software\License Server\tsLServer.exe
    e:\Program Files\Tyan Computer Corp\Tyan System Monitor Server Agent\TSMDataEngine.exe
    C:\WINNT\wanmpsvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\Ati2evxx.exe
    C:\WINNT\Explorer.EXE
    E:\Program Files\Utils\OneTouch.exe
    E:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe
    E:\AVASTP~1\ashDisp.exe
    E:\UPS\WSTD\PolicyMgr\NA1Msgr.exe
    E:\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\HP\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\HP\Digital Imaging\bin\hposol08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpoevm08.exe
    C:\Program Files\HP\Digital Imaging\Bin\hpoSTS08.exe
    E:\PROGRA~1\retrorun.exe
    E:\Avast Program\ashMaiSv.exe
    E:\Avast Program\ashWebSv.exe
    E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [PRONoMgrWired] c:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\Run: [MaxtorOneTouch] E:\Program Files\Utils\OneTouch.exe
    O4 - HKLM\..\Run: [RetroExpress] E:\PROGRA~1\RetroExpress.exe /h
    O4 - HKLM\..\Run: [CTSysVol] e:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [avast!] E:\AVASTP~1\ashDisp.exe
    O4 - HKLM\..\Run: [MediaFace Integration] E:\CD Lables\SetHook.exe
    O4 - HKLM\..\Run: [NA1Messenger] E:\UPS\WSTD\PolicyMgr\NA1Msgr.exe
    O4 - HKCU\..\Run: [Dot1XCfg] C:\Program Files\Dot1XCfg\Dot1XCfg.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
    O4 - Global Startup: MonacoGamma.lnk = E:\Program Files\Monaco\MonacoEZColor 2.0\MonacoGamma.exe
    O4 - Global Startup: hpoddt01.exe.lnk = C:\Program Files\HP\Digital Imaging\bin\hpotdd01.exe
    O4 - Global Startup: officejet 6100.lnk = C:\Program Files\HP\Digital Imaging\bin\hposol08.exe
    O4 - Global Startup: Logo Calibration Loader.lnk = E:\Eye-One Match 3\CalibrationLoader\CalibrationLoader.exe
    O4 - Global Startup: ProfileReminder.lnk = E:\Eye-One Match 3\ProfileReminder.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\SPYBOT~1\SDHelper.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - E:\Avast Program\aswUpdSv.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
    O23 - Service: avast! Antivirus - ALWIL Software - E:\Avast Program\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - E:\Avast Program\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - E:\Avast Program\ashWebSv.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
    O23 - Service: Retrospect Express HD Restore Helper (RetroExp Helper) - Dantz Development Corporation - E:\PROGRA~1\rthlpsvc.exe
    O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - Dantz Development Corporation - E:\PROGRA~1\retrorun.exe
    O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - e:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005\RpcDataSrv.exe
    O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - e:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005\RpcSandraSrv.exe
    O23 - Service: Timestone License Server - Terra Australis Group - E:\Program Files\Timestone Software\License Server\tsLServer.exe
    O23 - Service: TSMDataEngine - Tyan Computer Corp - e:\Program Files\Tyan Computer Corp\Tyan System Monitor Server Agent\TSMDataEngine.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe

    --
    End of file - 6415 bytes

  2. #2
    Junior Member
    Join Date
    Jul 2006
    Location
    Bottom of a Gin Bottle
    Posts
    28

    Default

    Here is my Kaspersky log.

    Thanks!

    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Tuesday, February 05, 2008 5:42:15 PM
    Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 5/02/2008
    Kaspersky Anti-Virus database records: 509999
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: standard
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\
    E:\
    F:\
    G:\
    H:\
    I:\
    X:\
    Y:\

    Scan Statistics:
    Total number of scanned objects: 272328
    Number of viruses found: 5
    Number of infected objects: 9
    Number of suspicious objects: 0
    Duration of the scan process: 02:03:10

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Application Data\ApplicationHistory\NA1Msgr.exe.1dbe75f8.ini.inuse Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012008020520080206\index.dat Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
    C:\Program Files\Temporary\kernInst.exe Infected: Trojan.Win32.Agent.edq skipped
    C:\WINNT\CSC\00000001 Object is locked skipped
    C:\WINNT\Debug\ipsecpa.log Object is locked skipped
    C:\WINNT\Debug\oakley.log Object is locked skipped
    C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
    C:\WINNT\SchedLgU.Txt Object is locked skipped
    C:\WINNT\b122.exe Infected: Trojan-Downloader.Win32.Agent.hvj skipped
    C:\WINNT\Sti_Trace.log Object is locked skipped
    C:\WINNT\system32\CatRoot\SYSMAST.cbd Object is locked skipped
    C:\WINNT\system32\CatRoot\SYSMAST.cbk Object is locked skipped
    C:\WINNT\system32\CatRoot\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\CATMAST.cbd Object is locked skipped
    C:\WINNT\system32\CatRoot\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\CATMAST.cbk Object is locked skipped
    C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINNT\system32\config\default.LOG Object is locked skipped
    C:\WINNT\system32\config\SAM Object is locked skipped
    C:\WINNT\system32\config\SAM.LOG Object is locked skipped
    C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINNT\system32\config\SECURITY Object is locked skipped
    C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINNT\system32\config\software.LOG Object is locked skipped
    C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped
    C:\WINNT\system32\config\system Object is locked skipped
    C:\WINNT\system32\config\software Object is locked skipped
    C:\WINNT\system32\config\default Object is locked skipped
    C:\WINNT\system32\config\Antivirus.Evt Object is locked skipped
    C:\WINNT\system32\drivers\classpnpp.sys Object is locked skipped
    C:\WINNT\system32\drivers\core.cache.dsk Object is locked skipped
    C:\WINNT\system32\Perflib_Perfdata_27c.dat Object is locked skipped
    C:\WINNT\system32\Perflib_Perfdata_22c.dat Object is locked skipped
    C:\WINNT\system32\nGpxx01\nGpxx011065.exe Infected: Trojan-Downloader.Win32.VB.cge skipped
    C:\WINNT\system32\Perflib_Perfdata_5f0.dat Object is locked skipped
    C:\WINNT\AdvPack.log Object is locked skipped
    C:\WINNT\17PHolmes572.exe Infected: Trojan-Downloader.Win32.Agent.idv skipped
    C:\WINNT\17PHolmes1000106.exe Infected: Trojan-Downloader.Win32.Agent.idv skipped
    C:\VundoFix Backups\pmnnnon.dll.bad Infected: Trojan.Win32.BHO.auf skipped
    C:\VundoFix Backups\vturstu.dll.bad Infected: Trojan.Win32.BHO.auf skipped
    C:\VundoFix Backups\yayyxyx.dll.bad Infected: Trojan.Win32.BHO.auf skipped
    E:\Avast Program\DATA\aswResp.dat Object is locked skipped
    E:\Avast Program\DATA\Avast4.db Object is locked skipped
    E:\Avast Program\DATA\integ\avast.int Object is locked skipped
    E:\Avast Program\DATA\log\nshield.log Object is locked skipped
    E:\Program Files\Trend Micro\HijackThis\backups\backup-20080205-094003-256.dll Infected: Trojan.Win32.BHO.auf skipped
    E:\UPS\WSTD\MSSQL$UPSWSDBSERVER\Data\master.mdf Object is locked skipped
    E:\UPS\WSTD\MSSQL$UPSWSDBSERVER\Data\mastlog.ldf Object is locked skipped
    E:\UPS\WSTD\MSSQL$UPSWSDBSERVER\Data\model.mdf Object is locked skipped
    E:\UPS\WSTD\MSSQL$UPSWSDBSERVER\Data\modellog.ldf Object is locked skipped
    E:\UPS\WSTD\MSSQL$UPSWSDBSERVER\Data\tempdb.mdf Object is locked skipped
    E:\UPS\WSTD\MSSQL$UPSWSDBSERVER\Data\templog.ldf Object is locked skipped
    E:\UPS\WSTD\MSSQL$UPSWSDBSERVER\Data\upswsdb.ldf Object is locked skipped
    E:\UPS\WSTD\MSSQL$UPSWSDBSERVER\Data\upswsdb.mdf Object is locked skipped
    E:\UPS\WSTD\MSSQL$UPSWSDBSERVER\LOG\ERRORLOG Object is locked skipped

    Scan process completed.

    I am already on page 3

    Please help me with my rucksack.

    Thanks!

    TPM

    I forgot to mention I ran Vundofix (both in safe mode and not) and while yayyxyx.dll kept returning, it seems to have finally been defeated. Spybot is now only reporting smitfraud.C.

    Thanks!

    Edit: The Waiting Room: Post here if waiting for help longer than four days
    Last edited by tashi; 2008-02-06 at 18:26. Reason: MOD: merged three posts, added link

  3. #3
    Junior Member
    Join Date
    Jul 2006
    Location
    Bottom of a Gin Bottle
    Posts
    28

    Default Combofix Log File

    ComboFix 08-02.05.3 - Administrator 02/06/2008 14:35:42.1 - FAT32x86
    Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.786 [GMT -5:00]
    Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Program Files\Temporary
    C:\Program Files\Temporary\kernInst.exe
    C:\temp\tn3
    C:\WINNT\b122.exe
    C:\WINNT\system32\config\SAM.SAV
    C:\WINNT\system32\drivers\classpnpp.sys . . . . failed to delete
    C:\WINNT\system32\drivers\core.cache.dsk . . . . failed to delete
    C:\WINNT\system32\pac.txt
    C:\WINNT\system32\vjskiblp.dllbox
    C:\WINNT\Web\default.htt
    C:\WINNT\system32\drivers\classpnpp.sys . . . . failed to delete
    C:\WINNT\system32\drivers\core.cache.dsk . . . . failed to delete

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\LEGACY_CLASSPNPP
    -------\classpnpp


    ((((((((((((((((((((((((( Files Created from 2008-01-06 to 2008-02-06 )))))))))))))))))))))))))))))))
    .

    2008-02-06 14:39 . 08-02-06 14:39 <DIR> d-------- C:\temp\tn3
    2008-02-06 14:38 . 08-02-06 14:38 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_28c.dat
    2008-02-06 13:14 . 03-09-20 19:45 236,304 --a------ C:\kmd.exe
    2008-02-05 11:33 . 08-02-06 13:20 644,548 ---h----- C:\WINNT\ShellIconCache
    2008-02-05 08:52 . 08-02-05 08:52 16,384 --a------ C:\WINNT\system32\Perflib_Perfdata_228.dat
    2008-02-04 22:17 . 08-02-04 22:17 167,545 --------- C:\WINNT\system32\drivers\core.cache.dsk
    2008-02-04 14:37 . 08-02-04 14:37 <DIR> d-------- C:\Program Files\Trend Micro
    2008-02-04 10:42 . 08-02-04 10:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2008-02-04 10:41 . 08-02-04 10:42 <DIR> d-------- C:\WINNT\system32\Kaspersky Lab
    2008-02-01 15:37 . 08-02-06 13:20 2,444 --a------ C:\WINNT\wininit.ini
    2008-02-01 15:21 . 08-02-01 15:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-02-01 10:51 . 08-02-01 10:51 <DIR> d-------- C:\Program Files\Dot1XCfg
    2008-02-01 10:50 . 08-02-01 10:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
    2008-02-01 10:48 . 08-02-01 10:48 <DIR> d-------- C:\WINNT\system32\lis6
    2008-02-01 10:48 . 08-02-01 10:48 <DIR> d-------- C:\WINNT\system32\kps5
    2008-02-01 10:48 . 08-02-01 10:48 <DIR> d-------- C:\WINNT\system32\hs9
    2008-02-01 10:48 . 08-02-01 10:48 86,016 --------- C:\WINNT\system32\drivers\classpnpp.sys
    2008-02-01 10:48 . 08-02-01 10:48 36,864 --a------ C:\WINNT\17PHolmes572.exe
    2008-02-01 10:48 . 08-02-01 10:48 36,864 --a------ C:\WINNT\17PHolmes1000106.exe
    2008-02-01 10:47 . 08-02-01 10:47 <DIR> d-------- C:\WINNT\system32\tip4
    2008-02-01 10:47 . 08-02-01 10:47 <DIR> d-------- C:\WINNT\system32\nGpxx01

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-01-04 16:19 --------- d-----w C:\Program Files\Microsoft SQL Server
    2005-03-23 22:35 271 ---h--w C:\Program Files\desktop.ini
    2005-03-23 22:35 21,952 ---h--w C:\Program Files\folder.htt
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Dot1XCfg"="C:\Program Files\Dot1XCfg\Dot1XCfg.exe" [ ]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Synchronization Manager"="mobsync.exe" [03-06-19 14:05 111376 C:\WINNT\system32\mobsync.exe]
    "PRONoMgrWired"="c:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe" [03-08-06 16:08 86016]
    "Tweak UI"="TWEAKUI.CPL" [00-06-18 13:03 106544 C:\WINNT\system32\TWEAKUI.CPL]
    "MaxtorOneTouch"="E:\Program Files\Utils\OneTouch.exe" [04-08-31 09:23 823296]
    "RetroExpress"="E:\PROGRA~1\RetroExpress.exe" [04-07-30 15:47 6946816]
    "CTSysVol"="e:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe" [03-09-17 10:43 57344]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [05-03-24 19:29 98304]
    "avast!"="E:\AVASTP~1\ashDisp.exe" [07-12-04 08:00 79224]
    "MediaFace Integration"="E:\CD Lables\SetHook.exe" [05-03-28 03:45 53248]
    "NA1Messenger"="E:\UPS\WSTD\PolicyMgr\NA1Msgr.exe" [07-03-23 22:24 20480]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 14:05 186640]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    MonacoGamma.lnk - E:\Program Files\Monaco\MonacoEZColor 2.0\MonacoGamma.exe [2004-12-06 21:01:02 217145]
    hpoddt01.exe.lnk - C:\Program Files\HP\Digital Imaging\bin\hpotdd01.exe [2002-12-03 19:58:20 40960]
    officejet 6100.lnk - C:\Program Files\HP\Digital Imaging\bin\hposol08.exe [2002-12-03 19:23:30 147456]
    Logo Calibration Loader.lnk - E:\Eye-One Match 3\CalibrationLoader\CalibrationLoader.exe [2007-05-11 13:58:31 708608]
    ProfileReminder.lnk - E:\Eye-One Match 3\ProfileReminder.exe [2007-05-11 13:58:32 954368]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "NeroFilterCheck"=C:\WINNT\system32\NeroCheck.exe
    "QD FastAndSafe"=
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
    "SunJavaUpdateSched"=C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    "iTunesHelper"=E:\Program Files\iTunes\iTunesHelper.exe

    R0 amdagp2k;AMD NB AGP Bus Filter;C:\WINNT\system32\DRIVERS\amdagp2k.sys [01-12-11 14:52 ]
    R0 amdeide;amdeide;C:\WINNT\system32\DRIVERS\amdeide.sys [02-01-14 08:41 ]
    R0 hpt374;hpt374;C:\WINNT\system32\DRIVERS\hpt374.sys [04-05-12 12:42 ]
    R0 ROFF;ROFF;C:\WINNT\system32\drivers\ROFF.sys [03-06-09 10:00 ]
    R1 classpnpp;classpnpp;C:\WINNT\system32\drivers\classpnpp.sys [08-02-01 10:48 ]
    R2 aswMon;avast! Standard Shield Support;C:\WINNT\system32\drivers\aswMon.sys [07-12-04 09:56 ]
    R2 IPMI_Driver;IPMI_Driver;C:\WINNT\system32\Drivers\ipmidrv.sys [02-10-09 18:27 ]
    R2 MSSQL$UPSWSDBSERVER;MSSQL$UPSWSDBSERVER;E:\UPS\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe [05-05-04 00:04 ]
    R2 ousbehci;NEC PCI to USB Enhanced Host Controller;C:\WINNT\system32\Drivers\ousbehci.sys [03-08-01 07:45 ]
    R2 PDIHWCTL;PDIHWCTL;C:\WINNT\system32\drivers\pdihwctl.sys [04-07-16 18:12 ]
    R2 Timestone License Server;Timestone License Server;E:\Program Files\Timestone Software\License Server\tsLServer.exe [05-06-30 19:57 ]
    R2 TSMDataEngine;TSMDataEngine;e:\Program Files\Tyan Computer Corp\Tyan System Monitor Server Agent\TSMDataEngine.exe [04-10-12 14:23 ]
    R2 tyansmb;tyansmb;C:\WINNT\system32\Drivers\tyansmb.sys [04-09-13 15:10 ]
    R3 openhci;Microsoft USB Open Host Controller Driver;C:\WINNT\system32\DRIVERS\openhci.sys [03-06-19 14:05 ]
    R3 ousb2hub;OrangeWare USB 2.0 Hub Support;C:\WINNT\system32\DRIVERS\ousb2hub.sys [03-08-01 07:45 ]
    S1 sglfb;sglfb;C:\WINNT\system32\drivers\sglfb.sys [99-12-07 12:00 ]
    S3 eyeonedp;eye-one display;C:\WINNT\system32\DRIVERS\eyeonedp.sys [06-01-30 05:10 ]
    S3 Lexar2K_JumpShotService;Lexar2K_JumpShotService;C:\WINNT\system32\DRIVERS\LEXAR2K.sys [02-10-29 16:09 ]
    S3 Seqcal;Sequel Imaging Calibration Device: Chroma;C:\WINNT\system32\DRIVERS\Seqcal.sys [99-09-17 19:12 ]
    S3 SQLAgent$UPSWSDBSERVER;SQLAgent$UPSWSDBSERVER;E:\UPS\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlagent.EXE [05-05-03 21:42 ]
    S3 usbhub20;USB 2.0 Root Hub Support;C:\WINNT\system32\DRIVERS\usbhub20.sys [03-06-19 14:05 ]
    S3 usbprint;Microsoft USB PRINTER Class;C:\WINNT\system32\DRIVERS\usbprint.sys [03-06-19 14:05 ]

    *Newly Created Service* - CLASSPNPP
    .
    Contents of the 'Scheduled Tasks' folder
    "2007-03-06 13:47:14 C:\WINNT\Tasks\FRU Task #Hewlett-Packard#hp officejet 6100 series#1164829891.job"
    - C:\Program Files\HP\Digital Imaging\Bin\hpqfrucl.exe:-I
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-02-06 14:39:17
    Windows 5.0.2195 Service Pack 4 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\WINNT\system32\Ati2evxx.exe
    E:\Avast Program\aswUpdSv.exe
    E:\Avast Program\ashServ.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\wanmpsvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\Ati2evxx.exe
    C:\Program Files\HP\Digital Imaging\bin\hpoevm08.exe
    C:\Program Files\HP\Digital Imaging\Bin\hpoSTS08.exe
    E:\PROGRA~1\retrospect.exe
    E:\PROGRA~1\retrorun.exe
    .
    **************************************************************************
    .
    Completion time: 2008-02-06 14:40:13 - machine was rebooted [Administrator]
    ComboFix-quarantined-files.txt 2008-02-06 19:40:12
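    The ComboFix log above records two files it could not delete, and the same log shows why: classpnpp.sys is registered as an R1 driver (running, system start) and flagged as a newly created service, so the kernel has it loaded before any user-mode cleaner runs. The script below is an added example, not ComboFix's own code or anything posted in this thread, that cross-checks the "Other Deletions" section against the driver/service lines so the failed deletions come with that explanation attached. The sample log is a constructed subset of the log posted above; the reading of the R/S prefix and start-type digit follows ComboFix's own notation.

```python
"""Cross-check a ComboFix log: which files failed to delete, and is each one
registered as a driver/service that loads before user-mode tools can run?"""
import re

# Constructed subset of the ComboFix log posted in this thread, including the
# duplicated 'failed to delete' lines ComboFix prints at the end of the section.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Temporary\kernInst.exe
C:\WINNT\b122.exe
C:\WINNT\system32\drivers\classpnpp.sys . . . . failed to delete
C:\WINNT\system32\drivers\core.cache.dsk . . . . failed to delete
C:\WINNT\system32\vjskiblp.dllbox
C:\WINNT\system32\drivers\classpnpp.sys . . . . failed to delete
C:\WINNT\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CLASSPNPP
-------\classpnpp

R0 amdagp2k;AMD NB AGP Bus Filter;C:\WINNT\system32\DRIVERS\amdagp2k.sys [01-12-11 14:52 ]
R1 classpnpp;classpnpp;C:\WINNT\system32\drivers\classpnpp.sys [08-02-01 10:48 ]
R2 aswMon;avast! Standard Shield Support;C:\WINNT\system32\drivers\aswMon.sys [07-12-04 09:56 ]

*Newly Created Service* - CLASSPNPP
"""

SECTION_RE = re.compile(r"^\(+\s*(?P<title>.+?)\s*\)+$")
# R = running, S = stopped; the digit is the Windows start type
# (0 boot, 1 system, 2 auto, 3 demand), as ComboFix prints it.
SERVICE_RE = re.compile(r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?) \[")
NEW_SERVICE_RE = re.compile(r"^\*Newly Created Service\* - (?P<name>\S+)$")
FAILED_SUFFIX = " . . . . failed to delete"


def parse_combofix(text):
    """Return (deletions, services, new_services): deletions as (path, succeeded)
    in log order without duplicates, services keyed by lower-cased image path."""
    deletions, seen = [], set()
    services, new_services = {}, set()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m["title"]
            continue
        m = NEW_SERVICE_RE.match(line)
        if m:
            new_services.add(m["name"].lower())
            continue
        m = SERVICE_RE.match(line)
        if m:
            services[m["path"].lower()] = (m["name"], m["start"])
            continue
        if section == "Other Deletions":
            succeeded = not line.endswith(FAILED_SUFFIX)
            path = line if succeeded else line[:-len(FAILED_SUFFIX)]
            if path.lower() not in seen:
                seen.add(path.lower())
                deletions.append((path, succeeded))
    return deletions, services, new_services


def explain_failed_deletions(text):
    """For each file ComboFix could not delete, say whether it is a registered
    driver/service, how it starts, and whether ComboFix saw it as newly created."""
    deletions, services, new_services = parse_combofix(text)
    report = []
    for path, succeeded in deletions:
        if succeeded:
            continue
        name, start = services.get(path.lower(), (None, None))
        report.append({
            "path": path,
            "service": name,
            "start": start,
            "newly_created": name is not None and name.lower() in new_services,
            # Boot/system-start drivers are loaded before any user-mode cleaner
            # runs, which is the usual reason the delete fails.
            "loads_at_boot": start in ("R0", "R1"),
        })
    return report


if __name__ == "__main__":
    for entry in explain_failed_deletions(SAMPLE_LOG):
        print(entry)
```

Run against the full log, the output singles out classpnpp.sys as the item that needs a driver-level removal (which is what the Driver:: entry in the CFScript later in this thread does), while core.cache.dsk has no service of its own and is simply held open by that driver.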

  4. #4
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Hi

    Start hjt, do a system scan, check:
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

    Close browsers and other windows. Click fix checked.


    Delete old ComboFix.exe file on your desktop and download latest one to your desktop.

    Open notepad and copy/paste the text in the quotebox below into it:

    Code:
    File::
    C:\WINNT\system32\drivers\core.cache.dsk
    C:\WINNT\system32\drivers\classpnpp.sys
    C:\WINNT\17PHolmes572.exe
    C:\WINNT\17PHolmes1000106.exe
    
    Driver::
    classpnpp
    
    Folder::
    C:\temp\tn3
    C:\Program Files\Dot1XCfg
    C:\WINNT\system32\lis6
    C:\WINNT\system32\kps5
    C:\WINNT\system32\hs9
    C:\WINNT\system32\tip4
    C:\WINNT\system32\nGpxx01
    C:\VundoFix Backups
    
    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Dot1XCfg"=-

    Save this as
    CFScript




    Referring to the picture above, drag CFScript into ComboFix.exe
    Then post the resultant log & a fresh hjt log.


    Combofix should never take more than 20 minutes including the reboot if malware is detected.
    If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
    If that happened we want to know, and also what process you had to end.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  5. #5
    Junior Member
    Join Date
    Jul 2006
    Location
    Bottom of a Gin Bottle
    Posts
    28

    Default Combofix no worky

    Did not delete 2 files and now I have popups :(

    ComboFix 08-02.05.3 - Administrator 02/09/2008 17:15:52.4 - FAT32x86
    Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.778 [GMT -5:00]
    Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE
    C:\WINNT\17PHolmes1000106.exe
    C:\WINNT\17PHolmes572.exe
    C:\WINNT\system32\drivers\classpnpp.sys
    C:\WINNT\system32\drivers\core.cache.dsk
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Program Files\Dot1XCfg
    C:\temp\tn3
    C:\WINNT\17PHolmes1000106.exe
    C:\WINNT\17PHolmes572.exe
    C:\WINNT\system32\drivers\classpnpp.sys . . . . failed to delete
    C:\WINNT\system32\drivers\core.cache.dsk . . . . failed to delete
    C:\WINNT\system32\hs9
    C:\WINNT\system32\hs9\corab2130.exe
    C:\WINNT\system32\kps5
    C:\WINNT\system32\kps5\covstadcom7.exe
    C:\WINNT\system32\lis6
    C:\WINNT\system32\lis6\lenamd83122.exe
    C:\WINNT\system32\nGpxx01
    C:\WINNT\system32\nGpxx01\nGpxx011065.exe
    C:\WINNT\system32\tip4
    C:\WINNT\system32\drivers\classpnpp.sys . . . . failed to delete
    C:\WINNT\system32\drivers\core.cache.dsk . . . . failed to delete

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\LEGACY_CLASSPNPP
    -------\classpnpp


    ((((((((((((((((((((((((( Files Created from 2008-01-09 to 2008-02-09 )))))))))))))))))))))))))))))))
    .

    2008-02-09 17:18 . 08-02-09 17:18 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_278.dat
    2008-02-09 17:18 . 08-02-09 17:18 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_22c.dat
    2008-02-06 15:15 . 03-09-20 19:45 236,304 --a------ C:\kmd.exe
    2008-02-05 11:33 . 08-02-07 00:08 644,660 ---h----- C:\WINNT\ShellIconCache
    2008-02-04 22:17 . 08-02-04 22:17 167,545 --------- C:\WINNT\system32\drivers\core.cache.dsk
    2008-02-04 14:37 . 08-02-04 14:37 <DIR> d-------- C:\Program Files\Trend Micro
    2008-02-04 10:42 . 08-02-04 10:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2008-02-04 10:41 . 08-02-04 10:42 <DIR> d-------- C:\WINNT\system32\Kaspersky Lab
    2008-02-01 15:37 . 08-02-06 15:15 2,506 --a------ C:\WINNT\wininit.ini
    2008-02-01 15:21 . 08-02-01 15:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-02-01 10:50 . 08-02-01 10:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
    2008-02-01 10:48 . 08-02-01 10:48 86,016 --------- C:\WINNT\system32\drivers\classpnpp.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-01-04 16:19 --------- d-----w C:\Program Files\Microsoft SQL Server
    2005-03-23 22:35 271 ---h--w C:\Program Files\desktop.ini
    2005-03-23 22:35 21,952 ---h--w C:\Program Files\folder.htt
    1999-12-07 17:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Synchronization Manager"="mobsync.exe" [03-06-19 14:05 111376 C:\WINNT\system32\mobsync.exe]
    "PRONoMgrWired"="c:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe" [03-08-06 16:08 86016]
    "Tweak UI"="TWEAKUI.CPL" [00-06-18 13:03 106544 C:\WINNT\system32\TWEAKUI.CPL]
    "MaxtorOneTouch"="E:\Program Files\Utils\OneTouch.exe" [04-08-31 09:23 823296]
    "RetroExpress"="E:\PROGRA~1\RetroExpress.exe" [04-07-30 15:47 6946816]
    "CTSysVol"="e:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe" [03-09-17 10:43 57344]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [05-03-24 19:29 98304]
    "avast!"="E:\AVASTP~1\ashDisp.exe" [07-12-04 08:00 79224]
    "MediaFace Integration"="E:\CD Lables\SetHook.exe" [05-03-28 03:45 53248]
    "NA1Messenger"="E:\UPS\WSTD\PolicyMgr\NA1Msgr.exe" [07-03-23 22:24 20480]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 14:05 186640]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    MonacoGamma.lnk - E:\Program Files\Monaco\MonacoEZColor 2.0\MonacoGamma.exe [2004-12-06 21:01:02 217145]
    hpoddt01.exe.lnk - C:\Program Files\HP\Digital Imaging\bin\hpotdd01.exe [2002-12-03 19:58:20 40960]
    officejet 6100.lnk - C:\Program Files\HP\Digital Imaging\bin\hposol08.exe [2002-12-03 19:23:30 147456]
    Logo Calibration Loader.lnk - E:\Eye-One Match 3\CalibrationLoader\CalibrationLoader.exe [2007-05-11 13:58:31 708608]
    ProfileReminder.lnk - E:\Eye-One Match 3\ProfileReminder.exe [2007-05-11 13:58:32 954368]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "NeroFilterCheck"=C:\WINNT\system32\NeroCheck.exe
    "QD FastAndSafe"=
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
    "SunJavaUpdateSched"=C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    "iTunesHelper"=E:\Program Files\iTunes\iTunesHelper.exe

    R0 amdagp2k;AMD NB AGP Bus Filter;C:\WINNT\system32\DRIVERS\amdagp2k.sys [01-12-11 14:52 ]
    R0 amdeide;amdeide;C:\WINNT\system32\DRIVERS\amdeide.sys [02-01-14 08:41 ]
    R0 hpt374;hpt374;C:\WINNT\system32\DRIVERS\hpt374.sys [04-05-12 12:42 ]
    R0 ROFF;ROFF;C:\WINNT\system32\drivers\ROFF.sys [03-06-09 10:00 ]
    R1 classpnpp;classpnpp;C:\WINNT\system32\drivers\classpnpp.sys [08-02-01 10:48 ]
    R2 aswMon;avast! Standard Shield Support;C:\WINNT\system32\drivers\aswMon.sys [07-12-04 09:56 ]
    R2 IPMI_Driver;IPMI_Driver;C:\WINNT\system32\Drivers\ipmidrv.sys [02-10-09 18:27 ]
    R2 MSSQL$UPSWSDBSERVER;MSSQL$UPSWSDBSERVER;E:\UPS\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe [05-05-04 00:04 ]
    R2 ousbehci;NEC PCI to USB Enhanced Host Controller;C:\WINNT\system32\Drivers\ousbehci.sys [03-08-01 07:45 ]
    R2 PDIHWCTL;PDIHWCTL;C:\WINNT\system32\drivers\pdihwctl.sys [04-07-16 18:12 ]
    R2 Timestone License Server;Timestone License Server;E:\Program Files\Timestone Software\License Server\tsLServer.exe [05-06-30 19:57 ]
    R2 TSMDataEngine;TSMDataEngine;e:\Program Files\Tyan Computer Corp\Tyan System Monitor Server Agent\TSMDataEngine.exe [04-10-12 14:23 ]
    R2 tyansmb;tyansmb;C:\WINNT\system32\Drivers\tyansmb.sys [04-09-13 15:10 ]
    R3 openhci;Microsoft USB Open Host Controller Driver;C:\WINNT\system32\DRIVERS\openhci.sys [03-06-19 14:05 ]
    R3 ousb2hub;OrangeWare USB 2.0 Hub Support;C:\WINNT\system32\DRIVERS\ousb2hub.sys [03-08-01 07:45 ]
    S1 sglfb;sglfb;C:\WINNT\system32\drivers\sglfb.sys [99-12-07 12:00 ]
    S3 eyeonedp;eye-one display;C:\WINNT\system32\DRIVERS\eyeonedp.sys [06-01-30 05:10 ]
    S3 Lexar2K_JumpShotService;Lexar2K_JumpShotService;C:\WINNT\system32\DRIVERS\LEXAR2K.sys [02-10-29 16:09 ]
    S3 Seqcal;Sequel Imaging Calibration Device: Chroma;C:\WINNT\system32\DRIVERS\Seqcal.sys [99-09-17 19:12 ]
    S3 SQLAgent$UPSWSDBSERVER;SQLAgent$UPSWSDBSERVER;E:\UPS\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlagent.EXE [05-05-03 21:42 ]
    S3 usbhub20;USB 2.0 Root Hub Support;C:\WINNT\system32\DRIVERS\usbhub20.sys [03-06-19 14:05 ]
    S3 usbprint;Microsoft USB PRINTER Class;C:\WINNT\system32\DRIVERS\usbprint.sys [03-06-19 14:05 ]

    *Newly Created Service* - CLASSPNPP
    .
    Contents of the 'Scheduled Tasks' folder
    "2007-03-06 13:47:14 C:\WINNT\Tasks\FRU Task #Hewlett-Packard#hp officejet 6100 series#1164829891.job"
    - C:\Program Files\HP\Digital Imaging\Bin\hpqfrucl.exe:-I
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-02-09 17:19:38
    Windows 5.0.2195 Service Pack 4 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\WINNT\system32\Ati2evxx.exe
    E:\Avast Program\aswUpdSv.exe
    E:\Avast Program\ashServ.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\wanmpsvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\Ati2evxx.exe
    E:\Avast Program\ashWebSv.exe
    E:\Avast Program\ashMaiSv.exe
    C:\Program Files\HP\Digital Imaging\bin\hpoevm08.exe
    C:\Program Files\HP\Digital Imaging\Bin\hpoSTS08.exe
    E:\PROGRA~1\retrospect.exe
    E:\PROGRA~1\retrorun.exe
    .
    **************************************************************************
    .
    Completion time: 2008-02-09 17:20:29 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-02-09 22:20:26
    ComboFix4.txt 2008-02-06 19:40:14
    ComboFix3.txt 2008-02-06 19:46:42
    ComboFix2.txt 2008-02-06 20:55:54

  6. #6
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Hi

    Make a Bootlog
    A bootlog is a file where Windows writes down which drivers are loaded and which are not during startup.
    Using Windows explorer, see if you find c:\windows\ntbtlog.txt - If it exists, delete the file.
    • Click Start then Run and type in msconfig in the edit box and hit Enter or click Ok
    • Click on the boot.ini tab and check the box that says /BOOTLOG
    • Click Apply & Ok and reboot the PC (may take a bit longer to boot)
    • After it reboots, you will get a message that msconfig has been used to change your start settings.
    • In msconfig, Check Normal Startup on the GENERAL tab, and on the BOOT.INI tab, Uncheck /BOOTLOG. Click Apply, OK.
    • When a message asks if you want to Reboot now, Click Exit Without Reboot. You don't need to.
    • Using Windows Explorer, locate c:\windows\ntbtlog.txt and post the content of the file.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  7. #7
    Junior Member
    Join Date
    Jul 2006
    Location
    Bottom of a Gin Bottle
    Posts
    28

    U/L an additional logfile?

    Do you need new logfiles of anything other than combofix?

    Thanks!

    TPM

  8. #8
    Junior Member
    Join Date
    Jul 2006
    Location
    Bottom of a Gin Bottle
    Posts
    28

    Quote Originally Posted by Blade81
    Hi

    • Click Start then Run and type in msconfig in the edit box and hit Enter or click Ok
    We seem to have been typing at the same time. This is a W2K box, no MSCONFIG, AFAIK?

    -TPM

  9. #9
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Drats... forgot you had Win2000

    To activate the boot logging feature, carry out the following steps:
    1. While the white progress bar is going across the screen at system startup, press F8 to enter the Troubleshooting and Advanced Startup options.
    2. Use the down arrow keys to move the highlight bar to "Enable Boot Logging"
    3. Press ENTER on the item to select it and continue booting.

    The log should be in c:\winnt\NTBTLOG.TXT file.

  10. #10
    Junior Member
    Join Date
    Jul 2006
    Location
    Bottom of a Gin Bottle
    Posts
    28

    Copied msconfig over from an XP box.

    Here is ntbtlog:

    Service Pack 4 2 10 2008 08:43:09.484
    Loaded driver \WINNT\System32\ntoskrnl.exe
    Loaded driver \WINNT\System32\hal.dll
    Loaded driver \WINNT\System32\BOOTVID.dll
    Loaded driver ACPI.sys
    Loaded driver \WINNT\System32\DRIVERS\WMILIB.SYS
    Loaded driver pci.sys
    Loaded driver isapnp.sys
    Loaded driver ohci1394.sys
    Loaded driver \WINNT\System32\DRIVERS\1394BUS.SYS
    Loaded driver PCIIde.sys
    Loaded driver \WINNT\System32\Drivers\PCIIDEX.SYS
    Loaded driver MountMgr.sys
    Loaded driver ftdisk.sys
    Loaded driver Diskperf.sys
    Loaded driver dmload.sys
    Loaded driver dmio.sys
    Loaded driver amdeide.sys
    Loaded driver PartMgr.sys
    Loaded driver atapi.sys
    Loaded driver hpt374.sys
    Loaded driver \WINNT\system32\DRIVERS\SCSIPORT.SYS
    Loaded driver disk.sys
    Loaded driver \WINNT\System32\DRIVERS\CLASSPNP.SYS
    Loaded driver ROFF.sys
    Loaded driver Fastfat.sys
    Loaded driver KSecDD.sys
    Loaded driver NDIS.sys
    Loaded driver sbp2port.sys
    Loaded driver mup.sys
    Loaded driver amdagp2k.sys
    Loaded driver \SystemRoot\System32\DRIVERS\ati2mtag.sys
    Loaded driver \SystemRoot\System32\Drivers\AFS2K.SYS
    Loaded driver \SystemRoot\System32\Drivers\Cdr4_2K.SYS
    Loaded driver \SystemRoot\System32\DRIVERS\cdrom.sys
    Loaded driver \SystemRoot\System32\DRIVERS\redbook.sys
    Loaded driver \SystemRoot\SYSTEM32\DRIVERS\GEARAspiWDM.sys
    Loaded driver \SystemRoot\System32\Drivers\Cdralw2k.SYS
    Loaded driver \SystemRoot\System32\DRIVERS\e1000nt5.sys
    Loaded driver \SystemRoot\system32\DRIVERS\ctoss2k.sys
    Loaded driver \SystemRoot\system32\DRIVERS\ctsfm2k.sys
    Loaded driver \SystemRoot\system32\drivers\P17.sys
    Loaded driver \SystemRoot\System32\DRIVERS\openhci.sys
    Loaded driver \SystemRoot\System32\Drivers\ousbehci.sys
    Loaded driver \SystemRoot\System32\DRIVERS\i8042prt.sys
    Loaded driver \SystemRoot\System32\DRIVERS\mouclass.sys
    Loaded driver \SystemRoot\System32\DRIVERS\kbdclass.sys
    Loaded driver \SystemRoot\System32\DRIVERS\parport.sys
    Loaded driver \SystemRoot\System32\DRIVERS\fdc.sys
    Loaded driver \SystemRoot\System32\DRIVERS\audstub.sys
    Loaded driver \SystemRoot\System32\DRIVERS\rasl2tp.sys
    Loaded driver \SystemRoot\System32\DRIVERS\ndistapi.sys
    Loaded driver \SystemRoot\System32\DRIVERS\ndiswan.sys
    Loaded driver \SystemRoot\System32\DRIVERS\raspptp.sys
    Loaded driver \SystemRoot\System32\DRIVERS\ptilink.sys
    Loaded driver \SystemRoot\System32\DRIVERS\raspti.sys
    Loaded driver \SystemRoot\system32\DRIVERS\wanatw4.sys
    Loaded driver \SystemRoot\System32\DRIVERS\parallel.sys
    Loaded driver \SystemRoot\System32\DRIVERS\swenum.sys
    Loaded driver \SystemRoot\System32\DRIVERS\update.sys
    Loaded driver \SystemRoot\System32\DRIVERS\usbhub.sys
    Loaded driver \SystemRoot\system32\DRIVERS\ousb2hub.sys
    Loaded driver \SystemRoot\System32\DRIVERS\flpydisk.sys
    Loaded driver \SystemRoot\System32\Drivers\NDProxy.SYS
    Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS
    Loaded driver \SystemRoot\System32\DRIVERS\hidusb.sys
    Did not load driver \SystemRoot\System32\Drivers\lbrtfdc.SYS
    Did not load driver \SystemRoot\System32\Drivers\Sfloppy.SYS
    Did not load driver \SystemRoot\System32\Drivers\Changer.SYS
    Did not load driver \SystemRoot\System32\Drivers\Cdaudio.SYS
    Loaded driver \SystemRoot\System32\Drivers\Fs_Rec.SYS
    Loaded driver \SystemRoot\System32\Drivers\Null.SYS
    Loaded driver \SystemRoot\System32\Drivers\Beep.SYS
    Did not load driver \SystemRoot\system32\DRIVERS\kbdhid.sys
    Did not load driver \SystemRoot\System32\Drivers\tga.SYS
    Loaded driver \SystemRoot\System32\drivers\vga.sys
    Loaded driver \SystemRoot\System32\Drivers\mnmdd.SYS
    Loaded driver \SystemRoot\System32\Drivers\Msfs.SYS
    Loaded driver \SystemRoot\System32\Drivers\Npfs.SYS
    Loaded driver \SystemRoot\System32\DRIVERS\rasacd.sys
    Loaded driver \SystemRoot\System32\DRIVERS\msgpc.sys
    Loaded driver \SystemRoot\System32\DRIVERS\tcpip.sys
    Loaded driver \SystemRoot\System32\DRIVERS\wanarp.sys
    Loaded driver \SystemRoot\System32\Drivers\aswTdi.SYS
    Loaded driver \SystemRoot\System32\DRIVERS\netbt.sys
    Loaded driver \SystemRoot\System32\DRIVERS\netbios.sys
    Did not load driver \SystemRoot\System32\DRIVERS\serial.sys
    Did not load driver \SystemRoot\System32\Drivers\PCIDump.SYS
    Loaded driver \SystemRoot\System32\DRIVERS\hidusb.sys
    Loaded driver \SystemRoot\System32\DRIVERS\rdbss.sys
    Loaded driver \SystemRoot\System32\DRIVERS\mouhid.sys
    Loaded driver \SystemRoot\System32\Drivers\PQNTDrv.SYS
    Loaded driver \SystemRoot\System32\DRIVERS\mrxsmb.sys
    Loaded driver \SystemRoot\System32\drivers\classpnpp.sys
    Loaded driver \SystemRoot\System32\Drivers\Aspi32.SYS
    Loaded driver \SystemRoot\System32\Drivers\Aavmker4.SYS
    Loaded driver \SystemRoot\System32\Drivers\Ntfs.SYS
    Loaded driver \SystemRoot\System32\Drivers\EFS.SYS
    Loaded driver \SystemRoot\system32\DRIVERS\atinmdxx.sys
    Loaded driver \SystemRoot\system32\DRIVERS\atinrvxx.sys
    Loaded driver \SystemRoot\System32\drivers\afd.sys
    Loaded driver \??\C:\WINNT\system32\drivers\Haspnt.sys
    Did not load driver \SystemRoot\System32\Drivers\Rdndra2e.SYS
    Loaded driver \SystemRoot\System32\Drivers\ParVdm.SYS
    Loaded driver \SystemRoot\System32\Drivers\ASCTRM.SYS
    Loaded driver \SystemRoot\System32\Drivers\aswMon.SYS
    Loaded driver \SystemRoot\System32\Drivers\Fips.SYS
    Loaded driver Fastfat.SYS
    Loaded driver \SystemRoot\system32\drivers\wdmaud.sys
    Loaded driver \SystemRoot\system32\drivers\sysaudio.sys
    Loaded driver \??\C:\WINNT\system32\drivers\hardlock.sys
    Loaded driver \SystemRoot\system32\drivers\swmidi.sys
    Loaded driver \??\C:\WINNT\system32\Drivers\ipmidrv.sys
    Loaded driver \SystemRoot\system32\drivers\DMusic.sys
    Did not load driver \SystemRoot\System32\DRIVERS\rdbss.sys
    Loaded driver \SystemRoot\System32\DRIVERS\srv.sys
    Loaded driver \??\C:\WINNT\system32\drivers\pdihwctl.sys
    Did not load driver \SystemRoot\System32\DRIVERS\mrxsmb.sys
    Loaded driver \SystemRoot\system32\drivers\kmixer.sys
    Loaded driver \??\C:\WINNT\system32\drivers\PfModNT.sys
    Loaded driver \SystemRoot\System32\Drivers\Stltrk2k.SYS
    Loaded driver \SystemRoot\System32\Drivers\Cdfs.SYS
    Loaded driver \??\C:\WINNT\system32\Drivers\tyansmb.sys
    Loaded driver \SystemRoot\System32\DRIVERS\ipnat.sys
    Did not load driver \SystemRoot\System32\DRIVERS\ipnat.sys
    Did not load driver \SystemRoot\System32\DRIVERS\ipnat.sys
    Loaded driver \SystemRoot\System32\DRIVERS\ipsec.sys
    Loaded driver \SystemRoot\System32\Drivers\aswRdr.SYS
    Loaded driver \SystemRoot\system32\drivers\kmixer.sys
    Loaded driver \SystemRoot\system32\drivers\kmixer.sys
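As an added example (not from the thread or any of its posters), here is a small Python triage script that parses ntbtlog.txt lines like the ones above and cross-references them with ComboFix's service block, so the "*Newly Created Service*" note from the earlier ComboFix log can be matched against what actually loaded at boot. The sample lines are copied from this thread; the one-character "lookalike" name check is my own heuristic, not something the thread's helpers used.

```python
import re
from collections import Counter
# Constructed sample: a few lines copied from the ntbtlog.txt and ComboFix output in this thread.
BOOTLOG = r"""
Loaded driver \WINNT\System32\DRIVERS\CLASSPNP.SYS
Loaded driver ROFF.sys
Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS
Loaded driver \SystemRoot\System32\drivers\classpnpp.sys
Loaded driver \SystemRoot\System32\Drivers\aswMon.SYS
Did not load driver \SystemRoot\System32\DRIVERS\ipnat.sys
"""
COMBOFIX = r"""
R0 ROFF;ROFF;C:\WINNT\system32\drivers\ROFF.sys [03-06-09 10:00 ]
R1 classpnpp;classpnpp;C:\WINNT\system32\drivers\classpnpp.sys [08-02-01 10:48 ]
*Newly Created Service* - CLASSPNPP
"""
BOOT_RE = re.compile(r"^(Loaded driver|Did not load driver)\s+(\S.*?)\s*$")
SVC_RE = re.compile(r"^[RS]\d\s+([^;]+);[^;]*;(.+?)\s+\[")  # "R1 name;display name;image path [date]"
NEW_RE = re.compile(r"^\*Newly Created Service\*\s+-\s+(\S+)")

def parse_bootlog(text):
    """Return (loaded, path, stem) per driver line; stem = lowercase file name without extension."""
    hits = [m for m in (BOOT_RE.match(l.strip()) for l in text.splitlines()) if m]
    return [(m.group(1) == "Loaded driver", m.group(2),
             m.group(2).rsplit("\\", 1)[-1].lower().rsplit(".", 1)[0]) for m in hits]

def parse_combofix(text):
    """Return ({service name: image path}, {newly created service names}) from ComboFix's service block."""
    services, new = {}, set()
    for line in (l.strip() for l in text.splitlines()):
        if m := SVC_RE.match(line):
            services[m.group(1).lower()] = m.group(2)
        elif m := NEW_RE.match(line):
            new.add(m.group(1).lower())
    return services, new

def triage(bootlog, combofix):
    """Count loaded / not-loaded drivers and list why a loaded driver deserves a closer look."""
    entries = parse_bootlog(bootlog)
    _, new = parse_combofix(combofix)
    loaded = {stem for ok, _, stem in entries if ok}
    counts = Counter("loaded" if ok else "not_loaded" for ok, _, _ in entries)
    flagged = {}
    for ok, path, stem in entries:
        # Heuristic (mine, not the thread's): a name equal to another loaded driver's plus one character.
        lookalikes = [o for o in loaded if stem.startswith(o) and len(stem) == len(o) + 1]
        reasons = (["newly created service"] if stem in new else []) + [f"lookalike of '{o}'" for o in lookalikes]
        if ok and reasons:
            flagged[path] = reasons
    return dict(counts), flagged
```

Run it against the full ntbtlog.txt and ComboFix log to get the loaded/not-loaded totals plus the short list of boot drivers that deserve a second look.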
